
Fix required_code_scanning missing from terraform state #2701


Open
wants to merge 1 commit into base: main

Conversation

stricklerxc

@stricklerxc stricklerxc commented Jul 11, 2025

Resolves #2556


Before the change?

  • required_code_scanning blocks would not persist in terraform state, leading to a permadiff
  • In the terraform state file, the rules[].required_code_scanning entry would be null even though code scanning was configured on the ruleset. For example:
Example

ruleset.tf

# Enclosing resource added so the fragment is a complete configuration;
# name, target and enforcement are the resource's required arguments.
resource "github_organization_ruleset" "example" {
  name        = "example"
  target      = "branch"
  enforcement = "active"

  rules {
    required_code_scanning {
      required_code_scanning_tool {
        alerts_threshold          = "errors_and_warnings"
        security_alerts_threshold = "high_or_higher"
        tool                      = "Scorecard"
      }
    }
  }
}

terraform.tfstate

{
  "version": 4,
  "terraform_version": "1.12.2",
  "outputs": {},
  "resources": [
    {
      "mode": "managed",
      "type": "github_organization_ruleset",
      "name": "example",
      "provider": "provider[\"registry.terraform.io/integrations/github\"]",
      "instances": [
        {
          "rules": [
            {
              "required_code_scanning": null
            }
          ]
        }
      ]
    }
  ]
}

After the change?

  • required_code_scanning blocks persist in the terraform state. Subsequent executions of terraform plan without any changes do not lead to a diff.
  • In the terraform state file, rules[].required_code_scanning is properly populated with the code scanning information. For example:
Example

ruleset.tf

# Enclosing resource added so the fragment is a complete configuration;
# name, target and enforcement are the resource's required arguments.
resource "github_organization_ruleset" "example" {
  name        = "example"
  target      = "branch"
  enforcement = "active"

  rules {
    required_code_scanning {
      required_code_scanning_tool {
        alerts_threshold          = "errors_and_warnings"
        security_alerts_threshold = "high_or_higher"
        tool                      = "Scorecard"
      }
    }
  }
}

terraform.tfstate

{
  "version": 4,
  "terraform_version": "1.12.2",
  "outputs": {},
  "resources": [
    {
      "mode": "managed",
      "type": "github_organization_ruleset",
      "name": "example",
      "provider": "provider[\"registry.terraform.io/integrations/github\"]",
      "instances": [
        {
          "rules": [
            {
              "required_code_scanning": [
                {
                  "required_code_scanning_tool": [
                    {
                      "alerts_threshold": "errors_and_warnings",
                      "security_alerts_threshold": "high_or_higher",
                      "tool": "Scorecard"
                    }
                  ]
                }
              ]
            }
          ]
        }
      ]
    }
  ]
}

Pull request checklist

  • Tests for the changes have been added (for bug fixes / features)
  • Docs have been reviewed and added / updated if needed (for bug fixes / features)

Does this introduce a breaking change?

Please see our docs on breaking changes to help!

  • Yes
  • No
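The before/after state files above differ only in whether the provider wrote the `required_code_scanning` block back into state. The following is an added illustration, not code from this PR or from terraform-provider-github: it shows the flattening step a provider performs to turn an API rule's parameters into the single-element list-of-maps shape that the SDK stores for a nested block, and why returning nil for that block makes every plan report a change. The `CodeScanningTool` and `RequiredCodeScanningParams` types and the `flattenRequiredCodeScanning` and `hasCodeScanningDrift` functions are hypothetical names chosen for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Hypothetical, constructed types standing in for the API's code-scanning
// rule parameters (not the go-github or provider types).
type CodeScanningTool struct {
	AlertsThreshold         string `json:"alerts_threshold"`
	SecurityAlertsThreshold string `json:"security_alerts_threshold"`
	Tool                    string `json:"tool"`
}

type RequiredCodeScanningParams struct {
	CodeScanningTools []CodeScanningTool `json:"code_scanning_tools"`
}

// flattenRequiredCodeScanning converts the rule parameters into the nested
// list-of-maps shape Terraform's SDK stores for a `required_code_scanning`
// block: a one-element list whose map holds a `required_code_scanning_tool`
// list with one entry per tool. This is the shape visible in the "after"
// terraform.tfstate above. A provider that returns nil here (the "before"
// behaviour) leaves the block null in state even though it is configured.
func flattenRequiredCodeScanning(p *RequiredCodeScanningParams) []interface{} {
	if p == nil || len(p.CodeScanningTools) == 0 {
		return nil
	}
	tools := make([]interface{}, 0, len(p.CodeScanningTools))
	for _, t := range p.CodeScanningTools {
		tools = append(tools, map[string]interface{}{
			"alerts_threshold":          t.AlertsThreshold,
			"security_alerts_threshold": t.SecurityAlertsThreshold,
			"tool":                      t.Tool,
		})
	}
	return []interface{}{
		map[string]interface{}{
			"required_code_scanning_tool": tools,
		},
	}
}

// hasCodeScanningDrift mirrors the plan-time comparison: when the configured
// block is populated but state holds null, the two never match and every
// `terraform plan` proposes the same change (the permadiff this PR fixes).
func hasCodeScanningDrift(configured, state []interface{}) bool {
	cfg, _ := json.Marshal(configured)
	st, _ := json.Marshal(state)
	return string(cfg) != string(st)
}

func main() {
	// Constructed sample matching the ruleset.tf in the PR description.
	params := &RequiredCodeScanningParams{CodeScanningTools: []CodeScanningTool{{
		AlertsThreshold:         "errors_and_warnings",
		SecurityAlertsThreshold: "high_or_higher",
		Tool:                    "Scorecard",
	}}}
	flattened := flattenRequiredCodeScanning(params)
	out, _ := json.MarshalIndent(flattened, "", "  ")
	fmt.Println(string(out))
	fmt.Println("drift when state is null:", hasCodeScanningDrift(flattened, nil))
	fmt.Println("drift when state is populated:", hasCodeScanningDrift(flattened, flattened))
}
```

Running it prints the same `required_code_scanning` structure as the "after" state above, reports drift against a null state and no drift against the populated one. The same comparison, run over a real terraform.tfstate, is a quick check for this class of provider bug: a configured nested block whose state entry is `null` will show up as a change on every plan.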

@stricklerxc stricklerxc force-pushed the fix/code-scanning-state branch from d609a26 to df3ad10 Compare July 11, 2025 22:54
@stricklerxc stricklerxc marked this pull request as ready for review July 11, 2025 22:58
Development

Successfully merging this pull request may close these issues.

[BUG]: Plan incorrectly proposes change for repository ruleset code scanning results